A large scale cyber campaign has been uncovered in which tens of thousands of outdated or end of life ASUS routers have been compromised across several regions, mainly Taiwan, the United States, and Russia. SecurityScorecard’s STRIKE team has named this global activity Operation WrtHug. The attackers are using old and vulnerable devices to create a massive network of hijacked routers.
Growing Global Impact
Infections have also been observed in different Southeast Asian and European countries. Over the last six months, researchers identified more than fifty thousand unique IP addresses linked to routers that have been taken over worldwide. These devices appear to share the same unusual self signed TLS certificate that expires one hundred years after April 2022, which strongly indicates a coordinated campaign.
SecurityScorecard reported that ninety nine percent of the compromised services showing this certificate belonged to ASUS AiCloud. This proprietary feature allows remote access to local storage via the internet. According to the researchers, the attackers are abusing AiCloud and using existing vulnerabilities to gain elevated privileges on end of life ASUS WRT routers. While the operation is not exactly an Operational Relay Box, it shows similarities to China based ORB style botnets.
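The certificate detail above is the most useful indicator for defenders: a self signed certificate whose validity runs roughly a century from April 2022 is easy to check for in any TLS inventory. The script below is an added example, not code from SecurityScorecard or from the article, that applies that heuristic to certificate records in the shape returned by Python's ssl.SSLSocket.getpeercert(). The sample records, the hostnames and addresses, the exact notBefore and notAfter dates, and the ninety year threshold are all constructed for illustration; the article only states that the certificate expires one hundred years after April 2022.

```python
"""Flag TLS certificates matching the WrtHug pattern: self signed, with a
validity period of roughly one hundred years.  Added example; the records
and threshold below are constructed assumptions, not published indicators."""
import ssl

# Assumed threshold: anything valid for ninety years or more is treated as
# abnormal.  Public CA certificates are limited to a little over a year.
MIN_SUSPICIOUS_YEARS = 90

# Constructed sample records in the getpeercert() dict layout.  The dates
# are illustrative; the real certificate's exact dates are not in the article.
SUSPICIOUS_CERT = {
    "subject": ((("commonName", "router-placeholder"),),),
    "issuer": ((("commonName", "router-placeholder"),),),
    "notBefore": "Apr  1 00:00:00 2022 GMT",
    "notAfter": "Apr  1 00:00:00 2122 GMT",
}
NORMAL_CERT = {
    "subject": ((("commonName", "vpn.example.net"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "notBefore": "Jan  5 09:59:03 2024 GMT",
    "notAfter": "Apr  4 09:59:03 2025 GMT",
}
# Constructed fleet snapshot: address -> certificate record (TEST-NET-1 range).
SAMPLE_FLEET = {
    "192.0.2.10": SUSPICIOUS_CERT,
    "192.0.2.11": NORMAL_CERT,
}


def validity_years(cert):
    """Length of the validity window in years, parsed with the stdlib helper
    that understands the 'Mon DD HH:MM:SS YYYY GMT' format getpeercert() uses."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / (365.25 * 86400)


def is_self_signed(cert):
    """A certificate whose issuer name equals its subject name is self signed
    (a name match, not a signature check, which is enough for triage)."""
    return cert.get("subject") == cert.get("issuer")


def assess_certificate(cert, min_years=MIN_SUSPICIOUS_YEARS):
    """Return the findings for one record.  Both traits must be present to
    count as suspicious: plenty of appliances ship self signed certificates,
    and a long lived certificate from a real CA does not occur in practice."""
    findings = []
    if is_self_signed(cert):
        findings.append("self-signed")
    years = validity_years(cert)
    if years >= min_years:
        findings.append(f"validity window of {years:.0f} years")
    return {"suspicious": len(findings) == 2, "findings": findings}


def triage_fleet(records):
    """Return the sorted list of addresses whose certificate matches the pattern."""
    return sorted(addr for addr, cert in records.items()
                  if assess_certificate(cert)["suspicious"])


if __name__ == "__main__":
    for addr, cert in SAMPLE_FLEET.items():
        print(addr, assess_certificate(cert))
    print("flagged:", triage_fleet(SAMPLE_FLEET))
```

One caveat when feeding this from a live scan: getpeercert() only populates the dict when the certificate was validated, and a self signed certificate never validates against the system trust store, so the records have to come from a scanner export or from parsing the DER that getpeercert(binary_form=True) returns. Treat a match as a reason to pull the device for inspection rather than as proof of compromise.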
Vulnerabilities Used in the Attack
The campaign appears to rely on multiple known flaws in outdated ASUS WRT routers. These include:
CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2023-39780, CVE-2024-12912, and CVE-2025-2492.
One of these vulnerabilities, CVE-2023-39780, has also been linked to the Chinese botnet AyySSHush, also known as ViciousTrap. Other recent ORB style groups that target routers include LapDogs and PolarEdge.
Researchers also observed seven IP addresses that showed signs of compromise linked to both WrtHug and AyySSHush. This overlap suggests a possible connection, although there is no confirmed proof beyond the shared exploitation of the same vulnerability.
Targeted ASUS Router Models
The following router models have been identified as targets in this campaign:
• ASUS 4G AC55U
• ASUS 4G AC860U
• ASUS DSL AC68U
• ASUS GT AC5300
• ASUS GT AX11000
• ASUS RT AC1200HP
• ASUS RT AC1300GPLUS
• ASUS RT AC1300UHP
Possible Attribution and Motivation
The identity of the threat actor remains unknown, but the heavy focus on Taiwan and the resemblance to previous China linked ORB tactics suggest a China affiliated group may be behind the operation. The campaign fits the pattern of threat actors attempting to expand their influence by compromising large numbers of network devices across many regions.
How the Attackers Maintain Persistence
Attackers use chains of command injection flaws and authentication bypass techniques to deploy backdoors that remain active even after reboots or firmware updates. This persistence is often achieved by abusing legitimate router features such as SSH access, allowing the attackers to keep long term control of the devices.